Posted on Wednesday, November 3rd, 2010

Attack Severs Burma Internet

by Craig Labovitz

Back in 2007, the Burmese government reportedly severed the country’s Internet links in a crackdown over growing political unrest.

Yesterday, Burma once again fell off the Internet. Over the last several days, a rapidly escalating, large-scale DDoS has targeted Burma’s main Internet provider, the Ministry of Post and Telecommunication (MPT), disrupting most network traffic in and out of the country.

While the motivation for the attack is unknown, Twitter and blogs have been awash in speculation ranging from blaming the Burma / Myanmar government (preemptively disrupting Internet connectivity ahead of the November 7 general elections) to external attackers with still-mysterious motives. The Myanmar Times reports the attack has been ongoing since October 25th (and adds the attack may impact Burma’s tourist industry).

We estimate the Burma DDoS at 10-15 Gbps (several hundred times more than enough to overwhelm the country’s 45 Mbps T3 terrestrial and satellite links). The DDoS includes dozens of individual attack components (e.g. TCP SYN and RST floods) against multiple IP addresses within MPT’s address blocks (203.81.64.0/19, 203.81.72.0/24, 203.81.81.0/24 and 203.81.82.0/24). The attack also appears fairly well distributed: ATLAS data shows attack traffic across 20 or more providers with a broad range of source addresses.

A summary of the attack statistics is shown in the chart below:

[Chart: Burma DDoS summary]

Most Burma Internet traffic goes through IPTel AS45419 (you can see a nice graph of the connectivity using HE’s ASInfo tool). And in turn, IPTel gets connectivity from Tata AS6453 (the majority of traffic), Beyond the Network AS3491 and NTT AS2914 amongst others. More information on MPT’s network is available on their home page (but this web site — and all of Burma for that matter — is currently unreachable).

Burma also lost Internet connectivity last Spring after the accidental severing of the trans-pacific SEA-ME-WE3 cable.

The DDoS (and possibly traffic engineering to mitigate the attack) generated hundreds of routing updates throughout the course of the day. Some sample BGP flaps from ATLAS routviews are shown below:


11/02/10 03:50:16 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 03:53:25 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 03:53:51 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:04:56 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:04:56 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:05:24 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:05:24 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:08:32 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:08:58 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:11:42 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:12:09 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:12:09 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:17:30 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:17:30 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
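
As an added example (not part of the original post or of Arbor's tooling), the sample updates above can be summarized by separating duplicate announcements from real AS-path changes and timing how long each path stayed in place. The function names are hypothetical, and the field layout (date, time, type, prefix, anonymized peer, AS path) is inferred from the lines shown.

```python
from collections import defaultdict
from datetime import datetime

# The 14 sample updates from the post; "XXXX" is the anonymized peer column.
SAMPLE = """\
11/02/10 03:50:16 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 03:53:25 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 03:53:51 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:04:56 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:04:56 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:05:24 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:05:24 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:08:32 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:08:58 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:11:42 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:12:09 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:12:09 Announce 203.81.81.0/24 XXXX 45419 45419 9988
11/02/10 04:17:30 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
11/02/10 04:17:30 Announce 203.81.81.0/24 XXXX 4766 4651 45419 45419 9988
"""

def parse_updates(text):
    """Yield (timestamp, prefix, as_path) for every Announce line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[2] != "Announce":
            continue  # skip blanks and anything that is not an announcement
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%m/%d/%y %H:%M:%S")
        yield ts, f[3], tuple(f[5:])  # f[4] is the peer, f[5:] the AS path

def flap_report(text):
    """Per prefix: updates, duplicates, path changes, seconds spent per path."""
    state = {}  # prefix -> (current path, time it was first announced)
    report = defaultdict(lambda: {"updates": 0, "duplicates": 0,
                                  "changes": 0, "dwell": defaultdict(int)})
    for ts, prefix, path in parse_updates(text):
        r = report[prefix]
        r["updates"] += 1
        if prefix not in state:
            state[prefix] = (path, ts)
        elif state[prefix][0] == path:
            r["duplicates"] += 1  # same path re-announced: not a flap
        else:
            old_path, since = state[prefix]
            r["dwell"][old_path] += int((ts - since).total_seconds())
            r["changes"] += 1
            state[prefix] = (path, ts)
    return report

if __name__ == "__main__":
    for prefix, r in flap_report(SAMPLE).items():
        print(prefix, {k: r[k] for k in ("updates", "duplicates", "changes")})
        for path, secs in r["dwell"].items():
            print(f"  {secs:5d} s on path {' '.join(path)}")
```

The path still in place when the sample ends has no closing timestamp, so its final interval is not counted in the per-path totals.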

In the last two graphs, I show traffic to Burma (AS9988) through 80 randomly selected ATLAS ISPs. The top graph shows the height of the DDoS over the last two days and the bottom provides a view of the escalating traffic over the last week. Normally Burma traffic peaks around 100 Mbps. Over the course of the week, the rapidly escalating attack jumped to a sustained multi-gigabit-per-second level. All times are EST.

A quick look at anonymous ASPath traffic data suggests a number of upstreams have begun to blackhole traffic to MPT address space in response to the attack.

[Graph: Burma DDoS]

[Graph: escalating Burma DDoS, week view]

While DDoS attacks against e-commerce and commercial sites are common (hundreds per day), large-scale geo-politically motivated attacks, especially ones targeting an entire country, remain rare, with a few notable exceptions. At 10-15 Gbps, the Burma attack is also significantly larger than the 2007 Georgia (814 Mbps) and Estonia DDoS. Earlier this year, Burmese dissident web sites (hosted outside the country) also came under DDoS attacks.

At present I do not know the motives for this attack, but our past DDoS analyses have observed the gamut, from politically motivated DDoS and government censorship to extortion and stock manipulation. I’ll update this blog if I get more details.

Credit to Jose Nazario for assisting with some of this analysis.

- Craig

 
 

46 Responses



Comment Post by: Myanmar PTT (Service Provider) gets punishing DDoS Attacks | DoS Attacks — November 3rd, 2010 @ 2:00 pm EST  Reply

[...] a massive DDoS Attack. Arbor Network’s Security Engineering & Response Team (SERT) is reporting on their blog, that the country’s de facto service provider, Ministry of Post and Telecommunication was [...]

Comment Post by: Cooper — November 3rd, 2010 @ 2:17 pm EST  Reply

Hi,

Can the above images be used with reference to Arbor Networks? Would like to expand on this topic… and your images are great.

Best Regards,
Cooper

Comment Post by: From the Listening Post… 11/04/2010 (a.m.) « Sean Lawson, Ph.D. — November 3rd, 2010 @ 8:44 pm EST  Reply

[...] Attack Severs Myanmar Internet | Security to the Core | Arbor Networks Security [...]

Comment Post by: Birmânia é desconectada da internet em ataque distribuído de DoS | Pablo Ximenes — November 3rd, 2010 @ 10:00 pm EST  Reply

[...] information: http://asert.arbornetworks.com/2010/11/attac-severs-myanmar-internet/ http://pt.wikipedia.org/wiki/Myanmar This entry was posted in Outros and tagged with [...]

Comment Post by: Kelvin Minn Kyaw — November 4th, 2010 @ 2:15 am EST  Reply

Dear Craig;
Maybe all of your info is correct, but the info we can get from Burma about the internet situation is totally different, and it will come out in the Burma media soon, tomorrow evening at the latest.
My question is: under a DDoS attack on their ISP, how can we send 2 or 3 MB files to/from Naypyidaw by gtalk?

Comment Post by: Burma Taken Off-Net By Cyber Attack | eWEEK Europe UK — November 4th, 2010 @ 6:53 am EST  Reply

[...] to analysis by Arbor Networks the cyber-warfare attack, which centred on the main Myanmar internet provider, the state-owned [...]

Comment Post by: Enrique — November 4th, 2010 @ 10:44 am EST  Reply

This is a great post. Thanks Craig & Jose.

Technically, would it be possible for the Burmese authorities to self-mount such an attack to shut down their own people’s internet? (and keep it up for gov and military servers, based on The Irrawaddy article)

Also, what is the tech evidence that can support the claim of a politically motivated attack?

Comment Post by: Craig Labovitz — November 4th, 2010 @ 11:16 am EST  Reply

Enrique — the prevalence / accessibility of large botnets (including infrastructure for hire), means just about anyone with money and motive can launch a large-scale DDoS. I have read lots of speculation in the press about the Burma DDoS, but I have no insight into the motives for this attack.

Comment Post by: Enrique — November 4th, 2010 @ 11:59 am EST  Reply

Thanks Craig. There is some speculation indeed. e.g. The brief piece in http://thenextweb.com/asia/2010/11/04/burmas-internet-services-under-attack-pre-election-timely/ may be a bit misleading:

“Arbor Networks says that analysis of similar events were often proved to be politically motivated”

Comment Post by: Karl — November 4th, 2010 @ 12:50 pm EST  Reply

I used to work for the Burmese Internet provider. These attacks were not uncommon during sensitive situations, and were a particular headache.

Funny how they hit only during office hours, isn’t it….

Comment Post by: DDoS-Attacken legen in Burma Internet lahm : netzpolitik.org — November 4th, 2010 @ 1:21 pm EST  Reply

[...] October 25, DDoS attacks on many different servers in Burma have been taking place again and again. The day before yesterday they reached a volume of 10-15 Gbps, a thousand times enough for the total of 45 [...]

Comment Post by: John Steed — November 4th, 2010 @ 1:30 pm EST  Reply

According to the sources close to MPT (not PTT by the way), they are using Arbor PeakFlow and engineers from Arbor Networks to mitigate the attack. Does this mean Arbor PeakFlow cannot mitigate attacks that are of 10-15 Gbps?

Comment Post by: George — November 4th, 2010 @ 2:46 pm EST  Reply

God Help The Keren.

Comment Post by: Burma hit by massive net attack « Alex's World News Worth Reading — November 4th, 2010 @ 3:03 pm EST  Reply

[...] Writing about the attack, Dr Craig Labovitz from Arbor Networks said the gigabits of traffic was “several hundred times more than enough” to swamp these links. [...]

Comment Post by: Country of Myanmar DDoS « MadMark's Blog — November 4th, 2010 @ 5:01 pm EST  Reply

[...] is certainly a massive DDoS attack, estimated at between 10 – 15 Gigabytes per second of bandwidth being focused on the country’s Ministry of Post and Telecommunication, the main [...]

Comment Post by: DDoS Attack on Myanmar Takes the Country Offline | Your Shopping Resource — November 4th, 2010 @ 8:37 pm EST  Reply

[...] Networks said in a blog post says that the attacks targeted the main Internet provider, the Ministry of Post and [...]

Comment Post by: Burma: Netzattacke legt Internet lahm- Wahlen am 7. November | Online Presseportal — November 4th, 2010 @ 8:47 pm EST  Reply

[...] on companies is no rarity, but an attack on entire states is certainly unusual. Dr. Craig Labovitz of Arbor Networks reports that the network in Burma a data transfer rate of 45 Mbits per second [...]

Comment Post by: DDOS Attack on Myanmar Takes the Country Offline- The Hackers Edge — November 4th, 2010 @ 9:32 pm EST  Reply

[...] The main Internet provider for Myanmar, the southeast Asian nation formerly known as Burma, has been under severe denial of service attack for some time now, according to the Myanmar Times. A blog post by Arbor Networks goes into technical detail about the attacks. [...]

Comment Post by: Peter — November 5th, 2010 @ 1:26 am EST  Reply

Which groups gain in this attack?
1. Activist groups? May not. Because they lose information from inside Burma.
If they did, they could be an idiot.

2. Government? May be. Because they don’t need more information flow to the world for incoming election? You’ll be the judge.

Comment Post by: La Birmanie coupée de l’Internet — November 5th, 2010 @ 7:57 am EST  Reply

[...] See also the post by Arbor SERT [...]

Comment Post by: Yves — November 5th, 2010 @ 12:24 pm EST  Reply

What is the situation today (Nov 5th) ? Has traffic in and out of Burma been restored ?
Thank you

Comment Post by: Bob Jones — November 5th, 2010 @ 2:01 pm EST  Reply

Arbor Networks provides equipment that is proven to mitigate these attacks. There are numerous service providers using the equipment (Adversor.net is one example). Why aren’t those responsible for networks taking the threat seriously and investing in protection? Some services are cloud-based and don’t even require up front investment. With the potential cost of an attack being so high, it seems illogical not to be protected.

Comment Post by: Myanmar se queda callado por ataques de DDoS | bSecure — November 5th, 2010 @ 3:54 pm EST  Reply

[...] according to Craig Lavobitz, security analyst for Arbor Networks, since the end of October media outlets of the [...]

Comment Post by: Ataques de DDoS tiran sistemas de comunicación en Myanmar | www.Netmedia.info — November 5th, 2010 @ 4:12 pm EST  Reply

[...] according to Craig Labovitz, security analyst for Arbor Networks, since the end of October media outlets of the [...]

Comment Post by: Burma knocked out of DDoS Attack | GiXtech.org — November 5th, 2010 @ 10:06 pm EST  Reply

[...] arbornetworks.com No related content found. Bookmark on Delicious Digg this post Recommend on Facebook Buzz it up [...]

Comment Post by: Digital Democracy | Burma/Myanmar Technology Research — November 6th, 2010 @ 3:02 am EST  Reply

[...] the lead up to elections in the country, information access is becoming more suspect. Arbor Networks points out that the county once again fell off the Internet. Over the course of the past several days, their [...]

Comment Post by: Project on Information Technology & Political Islam » Blog Archive » News: “Attack Severs Burma’s Internet” — November 6th, 2010 @ 4:09 pm EST  Reply

[...] Full article here. [...]

Comment Post by: Cyberattack Cripples Myanmar’s Servers, Just in Time for Election | Tech News Daily — November 7th, 2010 @ 3:15 am EST  Reply

[...] servers seem to have fallen prey to a Distributed Denial of Service (DDoS) attack that was “several hundred times” bigger than would be necessary to take down Myanmar’s frail network. At this point, [...]

Comment Post by: Burma hit by massive net attack | News Directory — November 7th, 2010 @ 1:31 pm EST  Reply

[...] Writing about the attack, Dr Craig Labovitz from Arbor Networks said the gigabits of transfer was "numerous hundred times more than enough" to swamp these links. [...]

Comment Post by: Ddos-aanvallen leggen internet in Birma lam » Clippy.be — November 8th, 2010 @ 4:59 am EST  Reply

[...] on the network of the national Burmese telecom company is said to be many times larger. According to the firm Arbor Networks, the DDoS attacks are said to, during peaks, a data traffic of 10 to 15 Gbps [...]

Comment Post by: Uma série de ataques DDoS contra Burma | Coruja de TI — November 8th, 2010 @ 8:32 am EST  Reply

[...] arbornetworks [...]

Comment Post by: kpt — November 8th, 2010 @ 11:48 am EST  Reply

Please help our country’s web system to improve and be a never-failing one. We need to use it every day for updated information. Thanks very much for your kind help.

Comment Post by: TheWay — November 11th, 2010 @ 11:35 am EST  Reply

Makes one cry to see how people are abused by stripping them from anything that can be helpful. There are people fighting against such things. Hopefully more will emerge, it’s a gruesome battle.

Comment Post by: Myanmar cut off the Internet ahead of elections « Axxera Inc. — November 11th, 2010 @ 4:08 pm EST  Reply

[...] to Craig Labovitz, Burmese T3 terrestial and satellite links have a 45 Mbps throughput, and they are currently being [...]

Comment Post by: Links for week ending 12 November 2010 | The Barefoot Technologist — November 12th, 2010 @ 6:13 am EST  Reply

[...] Attack severs Burmese internet Distributed denial of service (DDoS) attacks targeting Burma’s main internet service provider effectively took Burma offline last week. Security specialists Arbor Networks report: “While the motivation for the attack is unknown, Twitter and Blogs have been awash in speculation ranging from blaming the Burma/Myanmar government (preemptively disrupting internet connectivity ahead of the November 7 general elections), to external attackers with still mysterious motives” [...]

Comment Post by: jim trexler — November 12th, 2010 @ 3:47 pm EST  Reply

I couldn’t help but notice in the top of the article (and the traffic snapshot) you give four IP ranges. Oddly, they are all allocated to Estonia. My big list has only three for Myanmar/Burma/whatever total.

Comment Post by: jim trexler — November 12th, 2010 @ 4:28 pm EST  Reply

Oops, my bad – exclude the comment about the snapshot as it is in Myanmar.

Comment Post by: Nathan Griffiths — November 15th, 2010 @ 12:12 pm EST  Reply

I’m working on an article for the JMSC at the University of Hong Kong. Do you know if the DDoS attacks are still ongoing? I’m still not able to connect to the MPT website (www.mcpt.gov.mm) & Google’s cached version is from Oct 28.

I would be very interested to learn of any updates on the attacks that you are aware of.

Thanks very much,
Nathan

Comment Post by: Tomas Finger — November 16th, 2010 @ 3:19 pm EST  Reply

Foreign Policy Question. Does anyone know of discussions with the State Department to help assist a country’s ability to prevent DDoS attacks? Or at least a public response to the attacks? Although there are economic sanctions against Myanmar, assisting the country’s ability to handle internet traffic would aid the democratic elections, and allow for more intent freedom in the country. Craig, is it feasible for an outside agency to help a country’s traffic capabilities? Thoughts?

Comment Post by: Minn Kyaw — November 23rd, 2010 @ 8:56 am EST  Reply
Comment Post by: test « study4cyberwar — November 25th, 2010 @ 7:32 pm EST  Reply

[...] Attack Severs Burma Internet article(11/2010) [...]

Comment Post by: ace — December 8th, 2010 @ 6:23 am EST  Reply

It is related to political issues. The government of Burma could also use any reason to ban the internet from being accessed by their people, so they can’t communicate with other people outside the country.

Comment Post by: The Internet Goes to War | Data Protection and Recovery Center — December 23rd, 2010 @ 11:04 am EST  Reply

[...] the Internet and DDoS used as means of protest, censorship, and political attack is cause for concern [...]

Comment Post by: Egitto: Internet bloccato, ecco i dati del crollo — January 28th, 2011 @ 5:23 pm EST  Reply

[...] Network had recorded the same behavior by service providers during the uprisings in Burma and [...]

Comment Post by: Egitto: Internet bloccato, ecco i dati del crollo « Bestiale: — January 30th, 2011 @ 7:47 am EST  Reply

[...] Network had recorded the same behavior by service providers during the uprisings in Burma and [...]
